Automatically Renew User Certificates from Inhouse CA?

mvanzwieten

Hi Everyone,

I'm running a Win2k CA inhouse tied directly into Active Directory. In
order to make use of EAP/TLS over VPN, I've logged onto local users'
laptops, and downloaded user certificates for them from the CA webpage
onto their laptops, and they use these certs when connecting through
the VPN.

The issue is this... The certificates are only good for 1 year. They
do not renew themselves when they expire, and basically lock the person
out from even using EAP/TLS over VPN after they expire.

In order to get them working again, we have to manually browse over to
the CA webpage, and download a new user cert all over again, deleting
the old one that is still sitting there, expired.

Is there any way to automatically make these user certs renew, or
possibly force a renewal of that user cert on that machine?

I would appreciate your advice! :)


Thank you,
Mike
 
Chriss3 [MVP]

If your computers are joined to the domain, and sometimes connect to the
network, you can use Group Policy and autoenrollment to push certs.

The autoenrollment feature has several infrastructure requirements. These
include:

- Windows Server 2003 schema and Group Policy updates

- Windows 2000 Server domain controllers running Service Pack 3 or later

- Windows XP Professional or Windows Server 2003 clients

- Windows Server 2003, Enterprise Edition or Datacenter Edition running as
an Enterprise CA


--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
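Until autoenrollment is in place, the practical gap in this thread is that nobody notices a user cert is about to expire until EAP/TLS stops working. The script below is an added example, not code from any poster: it inventories the client-authentication certificates in the current user's Personal store, flags the ones inside a warning window, and can optionally ask the enterprise CA for a renewal of those through certreq.exe. It assumes a modern, domain-joined Windows client with PowerShell 3 or later (not the Win2k/XP clients of the original thread), that the issuing CA and template permit renewal for the logged-on user, and a 30-day warning window, which is a constructed value.

```powershell
# Added example (not from the thread). Assumes PowerShell 3+ on a domain-joined
# Windows client, the built-in certreq.exe, and a CA/template that allows renewal.
param(
    [int]$WarnDays = 30,   # constructed threshold; pick what suits the cert lifetime
    [switch]$Renew         # only attempt renewal when explicitly asked
)

# EKU OID for Client Authentication, the usage an EAP-TLS user cert must carry
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-ClientAuthCerts {
    # Only certs with a private key are usable for EAP-TLS; filter on the EKU
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        }
}

$now = Get-Date
foreach ($cert in Get-ClientAuthCerts) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $state = if ($daysLeft -lt 0)          { 'EXPIRED' }
             elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
             else                           { 'OK' }

    '{0,-11} {1,-40} {2}  expires {3:yyyy-MM-dd} ({4} days)' -f `
        $state, $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $daysLeft

    if ($Renew -and $daysLeft -le $WarnDays) {
        # Ask the enterprise CA to renew this exact cert (identified by serial number),
        # keeping the existing key pair. Whether this succeeds depends on the template's
        # renewal settings and the user's enroll permission on the CA (assumption).
        & certreq.exe -Enroll -user -q -cert $cert.SerialNumber Renew ReuseKeys
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certreq renewal failed for $($cert.Thumbprint) (exit $LASTEXITCODE)"
        }
    }
}
```

Run it without -Renew first to see what a user's laptop actually holds; expired certs still in the store are exactly the leftovers Mike describes having to delete by hand. Once the Windows Server 2003 autoenrollment pieces are in place, the same inventory is a quick check that the policy is doing the renewal for you, and `certutil -pulse` will kick the autoenrollment task on a client without waiting for the next Group Policy refresh.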
 
Herb Martin

> Hi Everyone,
>
> I'm running a Win2k CA inhouse tied directly into Active Directory. In
> order to make use of EAP/TLS over VPN, I've logged onto local users'
> laptops, and downloaded user certificates for them from the CA webpage
> onto their laptops, and they use these certs when connecting through
> the VPN.

(Most) Auto-enrollment and Auto-Renewal are new
to Win2003, so take a look at Chris's post, which discusses
infrastructure requirements in more detail.

I believe you will find that unless you have Win2003,
that you will not be able to do auto-renewal.
 
mvanzwieten

Thanks Chris... Yeah, I haven't found any documentation supporting
Win2k certificate servers being able to autoenroll... I did find
docs on how to do that with Win2k3 servers. If you know something I
don't about autoenrolling actual user certificates using Win2k server,
please let me know! Thanks again.

Mike.
 
Herb Martin

> Thanks Chris... Yeah, I haven't found any documentation supporting
> Win2k certificate servers being able to autoenroll... I did find
> docs on how to do that with Win2k3 servers. If you know something I
> don't about autoenrolling actual user certificates using Win2k server,
> please let me know! Thanks again.

It is a documented NEW FEATURE of Win2003.
 
mvanzwieten

Thanks Herb. I'm going to have to draw up some procedures for users to
do this themselves, and for those who have a cow with it, I'm going to
have to extract the cert for them, and email it to them... with
instructions on how to install/remove the old one. <sigh> Win2k cert
services really is a pain in the kiester. :)
 
Herb Martin

> Thanks Herb. I'm going to have to draw up some procedures for users to
> do this themselves, and for those who have a cow with it, I'm going to
> have to extract the cert for them, and email it to them... with
> instructions on how to install/remove the old one. <sigh> Win2k cert
> services really is a pain in the kiester. :)


Win2003 is your friend. <GRIN>

It is really just NT 5.2.

I still think both Microsoft and customers would be better
off if the names had never been changed...

NT 5.2 Windows Server 2003
NT 5.1 Windows XP
NT 5.0 Windows 2000
etc....
 